Case #1: Major Incident Response

The attack: In mid-2017, one of SOHO’s strategy consultancy clients fell victim to a sophisticated spear-phishing attack which targeted administrative-level staff in the organisation and resulted in email accounts being accessed without authorisation.

The damage: Data was exfiltrated from the organisation’s network, and the attackers – seemingly driven by profit – assumed the identity of multiple individuals within the organisation to initiate fraudulent bank transfers to accounts under their control.

What happened next: SOHO was brought in by the Chief Executive and Board of Directors to triage the situation immediately. Our initial assessment determined that the attackers likely still had access to a number of accounts. We moved at once to eject them: credentials were reset across the organisation, and the compromised systems were patched and hardened.

The work we did: In addition to securing the affected systems, cyber-hygiene training was delivered to key members of staff, and policies were put in place to prevent a recurrence of either the initial breach or the subsequent unauthorised wire transfers. The organisation's risk register was updated to reflect a broad range of cyber risks, data storage and security practices were reviewed, and two-factor authentication was introduced on a broad range of organisationally critical online services. Two reports were produced: the first exploring the source of the compromise and identifying the likely perpetrators; the second detailing all actions taken to date and the current status of the network. The board subsequently shared these reports with regulators and law enforcement.

Case #2: Website Compromise

The attack: In early 2017, SOHO discovered that a different client (this time a non-profit organisation which we had previously advised) had been hacked. An outdated content-management system (CMS) running on their website had allowed the backend server to be compromised, and spammers had begun injecting hidden links into its pages (some pointing to rather objectionable content). As a result, the domain had been blacklisted by Google and users were warned to stay away from the website. For a small charity, the potential impact on operations and fundraising capability was significant.

Our response: As soon as the attack was detected, and with the client's permission, steps were taken to eject the attackers from the server and roll back the damage done. The injected spam was removed and the website was quickly re-indexed by Google, minimising the reputational damage and any potential monetary losses to the charity. SOHO recommended a move away from the custom-developed CMS in use and advised on the implementation of a range of free, open-source alternatives.
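The hidden-link injection described in this case is easy to spot once you look for it. The scanner below is an added illustration, not code from SOHO or from the client's CMS: using only the Python standard library, it walks a page and reports every anchor pointing off-site that is hidden by an inline style, a hidden attribute, or a hidden ancestor element. The sample page and the site hostname charity.example are constructed for the example.

```python
"""Find hidden off-site links of the kind SEO spammers inject into a compromised
CMS.  Added illustration using only the Python standard library; the sample
page and the hostname charity.example are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never have a closing tag, so they must not be pushed onto the
# nesting stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}

# Inline-style tricks that keep an element in the crawled HTML while hiding it
# from a human visitor.  Each entry is (label, pattern).
HIDING_RULES = [
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("zero font size", re.compile(r"font-size\s*:\s*0(px|em|rem|%)?\s*(;|$)", re.I)),
    ("off-screen position", re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I)),
    ("zero size", re.compile(r"(?<![\w-])(width|height)\s*:\s*0(px)?\s*(;|$)", re.I)),
]


def hiding_reason(attrs):
    """Return why this element's own attributes hide it, or None if they don't."""
    attrs = dict(attrs)
    if "hidden" in attrs:
        return "hidden attribute"
    style = attrs.get("style") or ""
    for label, pattern in HIDING_RULES:
        if pattern.search(style):
            return label
    return None


class HiddenLinkScanner(HTMLParser):
    """Collect (href, reason) for every off-site <a> that is hidden either by
    its own attributes or by any enclosing element."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []       # hiding reason (or None) for each open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        own = hiding_reason(attrs)
        inherited = next((r for r in reversed(self.stack) if r), None)
        effective = own or inherited
        if tag not in VOID_ELEMENTS:
            self.stack.append(own)
        if tag == "a" and effective:
            href = dict(attrs).get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            # Relative and same-host anchors are skipped: visually hidden
            # "skip to content" links are a legitimate accessibility pattern.
            if host and host != self.site_host:
                self.findings.append((href, effective))

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS and self.stack:
            self.stack.pop()


def find_hidden_links(html, site_host):
    """Scan one page; returns a list of (href, reason) tuples."""
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate skip link and external reference alongside
# injected spam hidden by four different techniques.
SAMPLE_HTML = """
<html><body>
<a class="skip" style="position:absolute; left:-9999px" href="#main">Skip to content</a>
<h1 id="main">Welcome to our charity</h1>
<p>Read our <a href="/news">latest news</a> and the
   <a href="https://www.gov.uk/">official guidance</a>.</p>
<div style="display:none">
  <a href="http://cheap-pills.example/">buy cheap pills</a>
  <a href="http://casino.example/">online casino</a>
</div>
<p style="font-size:0px"><a href="http://loans.example/">payday loans</a></p>
<a hidden href="http://spam.example/">hidden attribute</a>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in find_hidden_links(SAMPLE_HTML, "charity.example"):
        print(f"{reason:22} {href}")
```

Run against the sample, the scanner reports the four spam links and ignores both the visible gov.uk reference and the off-screen skip link, which is internal. Two caveats for real use: the rules only see inline styles, so links hidden through a class defined in a stylesheet need the rendered page (or a diff against a known-good copy of the site) rather than the raw HTML; and a clean scan of the public pages says nothing about the backdoor that put the links there, so the server itself still has to be cleaned and the CMS patched or replaced, as in the case above.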